On Wed, Sep 7, 2022 at 8:45 PM Ben Cotton <bcotton(a)redhat.com> wrote:
> On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel
> <devel(a)lists.fedoraproject.org> wrote:
> >
> > Does anyone know how to reach prodsec about this?
> I'll reach out to the people I know and see what the best way to get
> them in this conversation is.
Yes, please.
> I appreciate the fact that there are people who monitor security issues
> and file bugs for them, but the reporting tools they use are very
> broken.
> The last example I have is for a CVE (from 2020) in versions 0.1.x of the
> "time" Rust crate, where bugs were filed a month ago for the
> following packages:
> - the correct bug for rust-time0.1: RHBZ#2119559
> - bug for rust-timebomb (completely unrelated package): RHBZ#2119560
> - bug for rust-time-macros0.1 (wrong package): RHBZ#2119561
> - bug for rust-time-macros-impl (wrong package): RHBZ#2119562
> Things like that result in lots of (basically spam) emails, because
> 3/4 of the opened bugs were filed for unrelated / wrong packages.
> It looks like the tooling they use does "prefix match" for component
> names, which is in many cases just *wrong*.
> This might also be the reason why dozens of bugs were opened for some
> golang CVEs.
> Another time, their automation posted the exact same comment over 200
> times.
Yup, I remember that, I was on the receiving end of this spam barrage
as well (for whatever reason I am getting CC'd on all golang CVE bugs
even though I am not a maintainer of golang *or* a member of the go-sig).
As far as I remember, the tooling was broken because Bugzilla queries
for that specific bug timed out because it had so many comments /
metadata / CC'd persons etc., and so it continued submitting the same
comment over and over (making things worse and worse, of course).
Fabio
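As an added illustration (not code from this thread or from the prodsec tooling), the "prefix match" on component names described above, beside a stricter match on the crate a component actually packages plus the affected version range. The component-to-crate-and-version table is constructed sample data for the four package names in the thread, not real Fedora metadata.

```python
import re

# Constructed sample data (not real Fedora metadata): Bugzilla component name ->
# (crate it packages, packaged crate version). The names come from the thread;
# the versions are made up for this illustration.
PACKAGED = {
    "rust-time": ("time", "0.3.14"),
    "rust-time0.1": ("time", "0.1.44"),
    "rust-timebomb": ("timebomb", "0.1.2"),
    "rust-time-macros0.1": ("time-macros", "0.1.1"),
    "rust-time-macros-impl": ("time-macros-impl", "0.1.2"),
}

def prefix_match(crate, components):
    """Matching as the thread describes the tool: every component whose
    Bugzilla name merely starts with rust-<crate> gets a bug filed."""
    prefix = f"rust-{crate}"
    return sorted(name for name in components if name.startswith(prefix))

def parse_version(text):
    """'0.1.44' -> (0, 1, 44); tuples compare component-wise, which a range
    check needs (plain string comparison would sort 0.10 before 0.2)."""
    return tuple(int(part) for part in text.split("."))

def version_in_range(version, spec):
    """spec is a comma-separated list of constraints, e.g. '>=0.1.0, <0.2.0'.
    Every constraint must hold. A malformed constraint raises instead of
    silently matching nothing (or everything)."""
    ops = {
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b,
    }
    current = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*", constraint)
        if m is None:
            raise ValueError(f"malformed version constraint: {constraint!r}")
        if not ops[m.group(1)](current, parse_version(m.group(2))):
            return False
    return True

def affected_components(crate, spec, packaged=PACKAGED):
    """Stricter matching: the component must package exactly this crate, and
    the packaged version must fall inside the affected range."""
    return sorted(name for name, (pkg_crate, pkg_ver) in packaged.items()
                  if pkg_crate == crate and version_in_range(pkg_ver, spec))
```

With the constructed table, `prefix_match("time", PACKAGED)` returns all five components, while `affected_components("time", ">=0.1.0, <0.2.0")` returns only `rust-time0.1`.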